Protected object policies

ACL policies provide the authorization service with information that results in a yes or no answer to a request to access a protected object and perform some operation on it.

In contrast to ACL policies, protected object policies (POPs) attach additional conditions to the request. When the authorization server returns a yes ACL decision, it passes the POP conditions back with that decision to ISAM and the resource manager, and it is their responsibility to enforce those conditions. The following table lists the POP attributes that ISAM provides.

| POP attribute | Description |
|---|---|
| Name | Name of the policy. This attribute corresponds to the pop-name variable in the pop command documentation. |
| Description | Descriptive text for the policy. This attribute appears in the pop show command output. |
| Warning mode | Gives administrators a means to test ACLs, POPs, and authorization rules: requests that would be denied are logged but not blocked, so a security policy can be tested before it is made active. |
| Audit level | Type of auditing: all, none, successful access, denied access, or errors. Audit level informs the authorization service that extra services are required when permitting access to the object. |
| Time-of-day access | Day and time restrictions for successful access to the protected object. Time-of-day access places restrictions on access to the object. |
| IP endpoint authorization method policy | Specifies the authentication requirements for access from members of external networks. IP endpoint authorization method policy places restrictions on access to the object. |
| EAS trigger attributes | Specifies an External Authorization Service (EAS) plug-in that is started to make an authorization decision with the customer's externalized policy logic. |
| Quality of Protection | Specifies the degree of data protection: none, integrity, or privacy. Quality of Protection informs the authorization service that extra services are required when permitting access to the object. |
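The following pdadmin session is an added example, not part of the original page or of IBM's documentation, showing how each attribute in the table above is set on a single POP and how that POP is attached to a protected object. The POP name finance-pop, the object path /WebSEAL/www-host/finance, the network ranges and the authentication levels are constructed values; the EAS trigger attribute name eas-trigger and its value is an assumption (the attribute name must match the policy trigger configured for the EAS plug-in in the ISAM configuration). Lines starting with # are annotations, not pdadmin syntax.

```pdadmin
# Create the POP and give it a description (shown by "pop show")
pdadmin sec_master> pop create finance-pop
pdadmin sec_master> pop modify finance-pop set description "Finance app: business hours, step-up from outside, privacy on the wire"

# Warning mode: log what would be denied without denying it, so the policy can be tested first
pdadmin sec_master> pop modify finance-pop set warning yes

# Audit level: record denied access and errors (all | none | permit,deny,error,admin)
pdadmin sec_master> pop modify finance-pop set audit-level deny,error

# Time-of-day access: weekdays, 08:00 to 18:00, server local time
pdadmin sec_master> pop modify finance-pop set tod-access weekday:0800-1800:local

# IP endpoint authorization method: internal network needs authentication level 1,
# any other network needs step-up to level 2 (constructed ranges and levels)
pdadmin sec_master> pop modify finance-pop set ipauth add 10.0.0.0 255.0.0.0 1
pdadmin sec_master> pop modify finance-pop set ipauth anyothernw 2

# EAS trigger: hand the decision to an external authorization service plug-in
# (attribute name and value are assumed; they must match the configured EAS trigger)
pdadmin sec_master> pop modify finance-pop set attribute eas-trigger finance-eas

# Quality of Protection: require an encrypted (privacy) connection
pdadmin sec_master> pop modify finance-pop set qop privacy

# Attach the POP; the object's ACL must still return "yes" before these conditions apply
pdadmin sec_master> pop attach /WebSEAL/www-host/finance finance-pop

# Review the resulting policy
pdadmin sec_master> pop show finance-pop
```

Because warning mode is on, this POP logs rather than blocks requests that fall outside the time window or arrive from a network below the required authentication level; clearing it with "pop modify finance-pop set warning no" makes the conditions enforced by WebSEAL (the resource manager) rather than merely reported.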

Although ISAM provides these POP attributes, it enforces only the following attributes:

Each resource manager or plug-in can optionally enforce one or more of the following attributes:

The concept of inherited, or sparse, ACLs described in Sparse security policy model also applies to POPs.
